
Dark Patterns Are Now a Privacy Law Violation. Is Your Business Next?

The Privacy Commissioner has handed down a landmark ruling against 2Apply — finding that manipulative design tactics used to collect personal information from millions of Australians breach the Privacy Act. Every business collecting data online should read this today.

BlackFlag Advisory · 22 April 2026 · GRC Intelligence
⚖ Determination — Issued Today

The Office of the Australian Information Commissioner has found that IRE Pty Ltd, operator of the 2Apply rental platform, breached the Australian Privacy Principles by collecting excessive personal information through manipulative design tactics. The platform has processed more than 8.5 million tenancy applications since 2020. IRE must cease prohibited data collection within 60 days and commission an independent privacy review at its own expense.

Today's determination by Privacy Commissioner Carly Kind marks a turning point in how Australian regulators interpret the Privacy Act. For the first time, so-called dark patterns — manipulative online design tactics used to pressure users into handing over personal information — have been found to breach the Australian Privacy Principles.

The ruling against 2Apply is not just a story about a rental platform. It is a signal to every Australian business that collects personal data online. The Commissioner has made clear that this determination is intended to reshape practices across entire sectors — not just the organisation named.

8.5M applications processed · 60 days to cease collection · 2 Australian Privacy Principles breached

What 2Apply Did — and Why It Matters

The 2Apply platform collected personal information the Commissioner determined was not reasonably necessary for processing rental applications — including gender, bankruptcy status, citizenship details, vehicle registration numbers, emergency contacts, names and ages of dependants, and two full years of living history.

But the more significant finding was not what was collected. It was how it was collected. The Commissioner found that 2Apply employed three distinct dark pattern techniques to pressure applicants into providing data they were not legally required to give.

The Three Dark Patterns Found to Breach the Privacy Act

01 Confirmshaming

The platform warned applicants that withholding information "may affect whether you are considered as a suitable tenant" — framing the refusal to provide data as a choice likely to harm the applicant's prospects. Psychological pressure dressed as information.

02 Biased Framing

The platform suggested that providing more data would "help speed up your application process" — creating a false incentive and leading users to believe that volunteering unnecessary personal information was in their own interest.

03 Bundled Consent

Applicants were required to agree to direct marketing in order to submit their application at all. Consent was bundled with the core transaction — removing any genuine choice about how their data would be used commercially.

"Renters are really not left with any genuine choice or control over how much information they're being required to give."
— Privacy Commissioner Carly Kind, 22 April 2026

This Is Not Just About Rental Platforms

The Commissioner has been explicit: this determination is intended to send a message to the entire ecosystem — not just RentTech providers, but real estate agents, property managers, and any organisation that collects personal information through online platforms.

The implications extend well beyond real estate. Any Australian business operating an online platform that collects personal information should be reading this ruling carefully. The three dark patterns identified — confirmshaming, biased framing, and bundled consent — are not unique to rental applications. They appear across insurance platforms, financial services onboarding, healthcare intake forms, HR platforms, and e-commerce checkouts every day.

The Commissioner's determination establishes that how you collect data is as important as what you collect. A technically lawful privacy policy does not protect you if your collection mechanism is manipulative.

What Australian Businesses Need to Do Now

Immediate Action Required

Review what you collect. Under APP 3, an organisation may collect personal information only where it is reasonably necessary for one or more of its functions or activities. Go field by field: if you cannot articulate which function a field serves, you should not be collecting it, whether the field is marked mandatory or optional.

Audit your forms and onboarding flows. Look at every step of your data collection process through the lens of the three dark patterns identified today: the copy beside each field, the default state of each checkbox, and what a user must agree to before the submit button works. The determination treats all three patterns as breaches where they are used to extract information that is not reasonably necessary.

Separate consent from transactions. If your platform requires users to agree to marketing or data sharing to access a core service, that bundled consent is now directly in the Commissioner's sights.

Check your third-party disclosures. Cross-border transfers and disclosures to third parties must be brought to the user's attention at or before the point of collection under APP 5, not buried in a privacy policy no user will read.

Commission an independent review proactively. IRE was ordered to do this at its own expense after the fact. Doing it now costs a fraction of the regulatory, legal and reputational consequences of a determination against you.
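As an added illustration of the first three actions above (this is example code, not part of the determination, BlackFlag Advisory's tooling, or 2Apply's platform): a JavaScript audit that runs a form definition through the APP 3 necessity test and the three dark patterns named in the ruling. The field names, the necessity allowlist, the copy heuristics and both sample forms are constructed assumptions; the only text taken from the page is the two phrases quoted from the 2Apply platform, which appear as helper text in the "before" form.

```javascript
// Added example (not from the determination or from 2Apply): static audit of
// a form definition against APP 3 data minimisation and the three dark
// patterns described in the ruling. Everything below is constructed.

// Constructed allowlist: fields this hypothetical platform has documented as
// reasonably necessary to assess a tenancy application (APP 3 analysis).
const NECESSARY_FIELDS = new Set([
  "full_name", "email", "phone", "current_address",
  "employment_income", "rental_references",
]);

// Heuristic copy checks for the two pressure techniques in the ruling.
// Regexes are illustrative assumptions; review every match by hand.
const PRESSURE_PATTERNS = [
  { issue: "confirmshaming",
    re: /\b(may|could|will)\s+affect\b.*\b(suitab|eligib|consider|chance)/i },
  { issue: "biased_framing",
    re: /\b(speed up|faster|quicker|improve your chances|strengthen your application)\b/i },
];

// Audit one form definition. Returns findings; an empty list means no rule
// fired, not that the form is compliant.
function auditForm(form) {
  const findings = [];
  for (const f of form.fields) {
    if (f.type === "consent") {
      // Bundled consent: anything other than the core service agreement
      // must not be a precondition for submitting the form.
      if (f.purpose !== "core_service" && f.required) {
        findings.push({ field: f.name, issue: "bundled_consent",
          detail: "non-essential consent required to submit" });
      }
      // A pre-ticked box is not a genuine choice either.
      if (f.defaultChecked) {
        findings.push({ field: f.name, issue: "preticked_consent",
          detail: "consent box ticked by default" });
      }
      continue;
    }
    // Data minimisation: flag any field outside the documented allowlist,
    // more severely when the user cannot skip it.
    if (!NECESSARY_FIELDS.has(f.name)) {
      findings.push({ field: f.name,
        issue: f.required ? "excess_collection_required" : "excess_collection",
        detail: "field not in the documented necessity list" });
    }
    // Pressure copy on the label or helper text beside the field.
    const copy = `${f.label ?? ""} ${f.helpText ?? ""}`;
    for (const p of PRESSURE_PATTERNS) {
      if (p.re.test(copy)) {
        findings.push({ field: f.name, issue: p.issue, detail: copy.trim() });
      }
    }
  }
  return findings;
}

// Constructed "before" form reproducing the behaviours the ruling describes.
const BEFORE = { fields: [
  { name: "full_name", type: "text", required: true },
  { name: "email", type: "text", required: true },
  { name: "bankruptcy_status", type: "select", required: false,
    helpText: "Leaving this blank may affect whether you are considered as a suitable tenant." },
  { name: "vehicle_registration", type: "text", required: false,
    helpText: "Providing this will help speed up your application process." },
  { name: "marketing_optin", type: "consent", purpose: "marketing",
    required: true, defaultChecked: true },
] };

// Constructed "after" form: excess fields removed, neutral copy, marketing
// consent unbundled from the core terms and unticked by default.
const AFTER = { fields: [
  { name: "full_name", type: "text", required: true },
  { name: "email", type: "text", required: true },
  { name: "rental_references", type: "text", required: true,
    helpText: "Two recent landlord or agent references." },
  { name: "marketing_optin", type: "consent", purpose: "marketing",
    required: false, defaultChecked: false },
  { name: "terms", type: "consent", purpose: "core_service",
    required: true, defaultChecked: false },
] };

console.table(auditForm(BEFORE));
console.log("after:", auditForm(AFTER).length, "findings");
```

Running it lists six findings for the "before" form (two excess fields, one confirmshaming phrase, one biased-framing phrase, one bundled and one pre-ticked consent) and none for the "after" form. The allowlist is the part that does the real work: the script only tells you a field is outside the list you have justified, so the APP 3 analysis that produces the list still has to be done and documented.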

What BlackFlag Advisory Found — Before the Ruling

This morning, before the Commissioner's determination was published, BlackFlag Advisory completed passive OSINT assessments on a number of Australian platforms operating in regulated sectors. In several cases we identified observable data collection practices, third party tracker configurations, and privacy policy disclosures that — in light of today's ruling — warrant immediate internal review.

We identified platforms in the insurance, financial services and healthcare sectors running multiple simultaneous session recording and keystroke capture tools, with cross-border data transfers referenced in privacy policies without granular recipient disclosure. Under the framework the Commissioner applied today, the question is not whether these practices are disclosed somewhere in a policy document. The question is whether users are being given genuine choice and control — and whether the collection is reasonably necessary in the first place.

The Commissioner was clear: this is only the beginning. More investigations are underway. More determinations will follow.

What does your platform look like from the outside?

BlackFlag Advisory conducts passive GRC assessments using publicly available data only. No systems accessed. We surface what regulators, lawyers and threat actors can already see about your organisation.
